Created attachment 200252 [details] [PATCH] Proposed Fix I'm not very familiar with this path, but this crash certainly seems possible (a port that doesn't set a plugin in client but has snapshotting enabled because the Setting is enabled by default). We should be resilient in such cases and not crash. Maybe it makes sense to ASSERT at some other point that a plugin client is set.

Comment on attachment 200252 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=200252&action=review > Source/WebCore/html/HTMLPlugInImageElement.cpp:648 > - if (document()->page()->settings()->autostartOriginPlugInSnapshottingEnabled() && document()->page()->plugInClient()->shouldAutoStartFromOrigin(document()->page()->mainFrame()->document()->baseURL().host(), url.host(), loadedMimeType())) { > + if (document()->page()->settings()->autostartOriginPlugInSnapshottingEnabled() && document()->page()->plugInClient() && document()->page()->plugInClient()->shouldAutoStartFromOrigin(document()->page()->mainFrame()->document()->baseURL().host(), url.host(), loadedMimeType())) { I think this would be way better with some local variables. One for document()->page() and another for document()->page()->plugInClient().

Comment on attachment 200252 [details] [PATCH] Proposed Fix Clearing flags on attachment: 200252 Committed r149469: <http://trac.webkit.org/changeset/149469>

All reviewed patches have been landed. Closing bug.